EXHIBIT C

System.Firewall.Policy.PolicyAction

    namespace System.Firewall.Policy
    {
        public abstract class PolicyAction : PolicyObject
        {
            // Properties
            public LoggingConfig LoggingConfig { get { } }

            // Abstract methods
            public abstract bool IsCompatible(PolicyCondition condition);
        }
    }

PolicyAction is an abstract class that serves as the root class for all specific action classes.
Whether to log the packet is implied by specifying a non-empty logging configuration object.

Methods

    Method Name:  IsCompatible
    Return Type:  bool
    Description:  Return true if this action can take place at the same layer as the
                  condition. Otherwise return false.
    Parameters:   condition - The condition against which this action will be checked.
System.Firewall.Policy.FilterAction

    namespace System.Firewall.Policy
    {
        public class FilterAction : PolicyAction
        {
            public enum FilterActionType { Permit, Deny, LogOnly }

            private FilterAction(FilterActionType actionType);
            public FilterAction(FilterActionType actionType, LoggingConfig logging);

            public static readonly FilterAction Permit = new FilterAction(FilterActionType.Permit);
            public static readonly FilterAction Deny = new FilterAction(FilterActionType.Deny);

            public override bool IsCompatible(PolicyCondition condition) { return true; }
        }
    }

FilterAction models the following action scenarios:

• Permit: Allow packets that match the associated PolicyCondition object.

    PolicyAction action = FilterAction.Permit;

• Deny: Drop packets that match the associated PolicyCondition object.

    PolicyAction action = FilterAction.Deny;

• Permit and Log: Allow and log packets that match the associated PolicyCondition object.

    new FilterAction(FilterAction.FilterActionType.Permit, logging);

• Deny and Log: Drop and log packets that match the associated PolicyCondition object.

    new FilterAction(FilterAction.FilterActionType.Deny, logging);

• Log Only: Log packets that match the associated PolicyCondition object.

    new FilterAction(FilterAction.FilterActionType.LogOnly, logging);

Please note that FilterAction can be associated with any PolicyCondition, as it is required that
all layers in the firewall platform will at least support the Permit, Deny and Log actions.
System.Firewall.Policy.InstantiationTemplate

    namespace System.Firewall.Policy
    {
        public abstract class InstantiationTemplate : PolicyRule
        {
            protected InstantiationTemplate(bool isClientInstantiation);
            public bool IsClientInstantiation { get { } }
        }

        public class TransportTemplate : InstantiationTemplate
        {
            public TransportTemplate(TransportLayer layer, FilterAction action);
            public TransportTemplate(TransportLayer layer, FilterAction action,
                                     IPAddressValue remoteAddr, UInt16Value protocol,
                                     UInt16Value remotePort);

            public TransportCondition Condition { get { } }
            public FilterAction Action { get { } }
        }

        public class IPSecTemplate : InstantiationTemplate
        {
            public IPSecTemplate(IPSecAction action);
            public IPSecTemplate(IPSecAction action, IPAddressValue remoteAddress,
                                 UInt16Value protocol, UInt16Value remotePort);

            public TransportCondition Condition { get { } }
            public IPSecAction Action { get { } }
        }

        public class IPSecAuthorizationTemplate : InstantiationTemplate
        {
            public IPSecAuthorizationTemplate(RemoteIdentityValue remoteID,
                                              FilterAction action);
            public IPSecAuthorizationTemplate(RemoteIdentityValue remoteID, UInt16Value protocol,
                                              UInt16Value remotePort, FilterAction action);

            public RemoteIdentityValue RemoteID { get { } }
            public FilterAction Action { get { } }
        }
    }

Instantiation templates can be any of the following templates:

- TransportTemplate: the template to be instantiated at the transport layer, either
inbound or outbound.

- IPSecTemplate: the IPsec template to be instantiated at the IPSec layer.

- IPSecAuthorizationTemplate: the authorization template to be instantiated at
the IPSec authorization layer.

Each of the above classes provides two constructors. The first is used when the associated
application rule matches to perform client instantiation; when client instantiation takes
place, the full 5-tuple is available to instantiate the template. If it is not a client
instantiation, only the local 3-tuple (local address, protocol and local port) is available,
and the second constructor is used for that case. Implicitly, therefore, the first constructor
sets the isClientInstantiation flag in the base InstantiationTemplate class to true while the
second sets it to false. Client instantiation templates are instantiated only when the full
5-tuple is available, while server instantiation templates are instantiated only at the time
when the local 3-tuple is available.
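As an added illustration (not code from the exhibit), the following Python model shows how the two TransportTemplate constructors drive instantiation: a client template is completed from the matched 5-tuple, while a server template is completed from the local 3-tuple plus the remote constraints it carries. Class and field names are assumptions that mirror the exhibit's TransportTemplate; the protocol-mismatch check on server templates is also an assumption.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class TransportTemplate:
    """Mirrors the two constructors: a client template carries no remote
    constraints (they come from the matched 5-tuple at instantiation time);
    a server template carries them itself, because only the local 3-tuple
    is known when it is instantiated."""
    action: str                          # "Permit", "Deny" or "LogOnly"
    remote_addr: Optional[str] = None    # server templates only
    protocol: Optional[int] = None
    remote_port: Optional[int] = None

    @property
    def is_client_instantiation(self) -> bool:
        # Set implicitly by which constructor was used, as the exhibit describes.
        return self.remote_addr is None

@dataclass(frozen=True)
class Endpoint:
    """What is known about the socket when the application rule matches
    (constructed input: a full 5-tuple for a connect, a local 3-tuple for a listen)."""
    local_addr: str
    protocol: int
    local_port: int
    remote_addr: Optional[str] = None
    remote_port: Optional[int] = None

def instantiate(template: TransportTemplate, ep: Endpoint) -> Optional[dict]:
    """Return the concrete transport-layer rule, or None when the endpoint does
    not carry the tuple this kind of template needs."""
    has_5tuple = ep.remote_addr is not None and ep.remote_port is not None
    if template.is_client_instantiation:
        if not has_5tuple:
            return None                  # client templates need the full 5-tuple
        remote = (ep.remote_addr, ep.remote_port)
    else:
        if has_5tuple:
            return None                  # server templates: local 3-tuple time only
        if template.protocol is not None and template.protocol != ep.protocol:
            return None                  # assumption: template protocol must match
        remote = (template.remote_addr, template.remote_port)
    return {"local": (ep.local_addr, ep.protocol, ep.local_port),
            "remote": remote, "action": template.action,
            "client": template.is_client_instantiation}
```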
System.Firewall.Policy.ApplicationAction

    namespace System.Firewall.Policy
    {
        public class ApplicationAction : PolicyAction
        {
            public enum ApplicationActionType { Permit, Deny, Ask, LogOnly }

            private ApplicationAction(ApplicationActionType actionType);
            public ApplicationAction(ApplicationActionType actionType,
                                     LoggingConfig logging, InstantiateTemplateCollection templates);

            public static readonly ApplicationAction Permit = new ApplicationAction(ApplicationActionType.Permit);
            public static readonly ApplicationAction Deny = new ApplicationAction(ApplicationActionType.Deny);
            public static readonly ApplicationAction Ask = new ApplicationAction(ApplicationActionType.Ask);

            public InstantiateTemplateCollection InstantiationTemplates { get { } set { } }
            public IPSecProposal IPSecProposal { get { } set { } }
            public bool IsAutoInstantiationEnabled { get { } set { } }

            public override bool IsCompatible(PolicyCondition condition);
        }
    }

The possible ApplicationAction scenarios are as follows:

• Permit: Allow packets that match the associated ApplicationCondition object.

• Deny: Drop packets that match the associated ApplicationCondition object.

• Ask: Ask for the user's decision when packets match the associated
ApplicationCondition object.

• Log Only: Log packets that match the associated ApplicationCondition object.

Methods

    Method Name:  GetTemplates
    Return Type:  InstantiateTemplateCollection
    Description:  Return the list of instantiation templates that will be created when this
                  application action takes place.
    Parameters:   condition - The condition against which this action will be checked.
System.Firewall.Policy.CalloutAction

    namespace System.Firewall.Policy
    {
        public abstract class CalloutAction : PolicyAction
        {
            // Constructors
            protected CalloutAction(Callout obj, CalloutContext cxt);

            // Properties
            public Callout CalloutModule { get { } }
            public CalloutContext Context { get { } set { } }

            public override bool IsCompatible(PolicyCondition condition);
        }
    }

CalloutAction models the callout extensions that the platform provides. When the associated
conditions are matched, the callout action specifies the callout extension that the platform
needs to invoke. It is used as an extension mechanism to provide additional security
functionality such as intrusion detection, parental control, etc.



    Property Name:  CalloutModule
    Description:    The callout module to be invoked when the associated condition is matched.
    Access:         Read Only

    Property Name:  CalloutContext
    Description:    The callout specific context information to be passed to the callout module
                    when it is invoked.
    Access:         Read/Write
System.Firewall.Policy.IPSecAction

    namespace System.Firewall.Policy
    {
        public class IPSecProposal : CalloutContext
        {
            public IPSecProposal();

            public bool IsPFSRequired { get { } set { } }

            // A flag indicating if can send in clear (soft SA) when key
            // negotiation fails.
            public bool /* name illegible in source */ { get { } set { } }

            public bool IsNATTraversalEnabled { get { } set { } }
            public HashAlgorithm AHTransform { get { } set { } }
            public HashAlgorithm ESPIntegrityTransform { get { } set { } }
            public CipherAlgorithm ESPCipherTransform { get { } set { } }
            public uint32 MaxLifetimeSeconds { get { } set { } }
            // (one further property: type and name illegible in source)
        }

        public class IPSecAction : CalloutAction
        {
            // Constructors
            // call base constructor with the Callout object for IPSec callout
            // module and null for context
            public IPSecAction();
            public IPSecAction(IPSecProposal ctx);

            public IPSecProposal Context { get { } set { } }
        }
    }

IPSecAction triggers the IPSec callout to set a security context on the matching packets so that
the packets will be further processed by the IPSec driver. It also specifies the actual IPSec
configuration parameters for securing network traffic, including AH or ESP or both and their
corresponding transform settings.
System.Firewall.Policy.IKEAction

    namespace System.Firewall.Policy
    {
        public enum IKEAuthenticationType
        {
            PresharedKey = 1,
            Kerberos = 2,
            Passport = 3,
            Certificate = 4
        }

        public class IKEAuthenticationMethod : PolicyObject
        {
            protected IKEAuthenticationMethod(IKEAuthenticationType authType);

            public static readonly IKEAuthenticationMethod PresharedKey = new
                IKEAuthenticationMethod(IKEAuthenticationType.PresharedKey);
            public static readonly IKEAuthenticationMethod Kerberos = new
                IKEAuthenticationMethod(IKEAuthenticationType.Kerberos);
            public static readonly IKEAuthenticationMethod Passport = new
                IKEAuthenticationMethod(IKEAuthenticationType.Passport);
        }

        public class CertificateAuthenticationMethod : IKEAuthenticationMethod
        {
            public CertificateAuthenticationMethod();
            public X509CertificateCollection RootCertificates { get { } set { } }
        }

        public enum CipherAlgorithm
        {
            None,
            DES,
            3DES
        }

        public enum HashAlgorithm
        {
            None,
            MD5,
            SHA
        }

        public class IKEProposal : PolicyObject
        {
            public IKEProposal(CipherAlgorithm cipher, HashAlgorithm hash);
            // Predefine high, medium, and low proposals as static variables.
            public CipherAlgorithm CipherAlgorithm { get { } }
            public HashAlgorithm HashAlgorithm { get { } }
            public uint32 MaxLifetimeSeconds { get { } set { } }
            public uint32 MaxLifetimeKilobytes { get { } set { } }
            public uint32 MaxQuickModeNumber { get { } set { } }
        }

        public class IKEAction : PolicyAction
        {
            public IKEAction(IKEAuthenticationMethod method);

            // Authentication Method: Pre-shared key, Kerberos, certificate
            // (certificates for outbound, certificates for inbound)
            public IKEAuthenticationMethod AuthenticationMethod { get { } }

            // Proposal for algorithms, etc.
            public IKEProposal Proposal { get { } set { } }
        }
    }

IKEAction defines the authentication method for performing the IKE key negotiation protocol,
which can be either pre-shared key, Kerberos or certificates, and also the proposals for
authentication algorithms.
System.Firewall.Policy.KeyingModuleAction

    namespace System.Firewall.Policy
    {
        public class KeyingModuleAction : PolicyAction
        {
            public enum KeyingModule
            {
                IKE,
                Mamie
            }

            private KeyingModuleAction(KeyingModule module);
            public KeyingModuleAction(KeyingModuleCollection modules);

            public static readonly KeyingModuleAction IKE = new KeyingModuleAction(KeyingModule.IKE);
            public static readonly KeyingModuleAction Mamie = new KeyingModuleAction(KeyingModule.Mamie);

            public KeyingModuleCollection GetKeyingModules();
        }
    }



KeyingModuleAction selects the specified keying module to perform key negotiation 
exchanges. When more than one is specified, each of the listed keying modules will be tried 
in order until one of them succeeds or all have failed. 



Methods

    Method Name:  GetKeyingModules
    Return Type:  KeyingModuleCollection
    Description:  Return one or more keying modules that may be invoked when this
                  action is taken. If more than one keying module is listed, they
                  will be tried in the order specified until one of them succeeds or all
                  fail.
    Parameters:   None.